Identify Risks


A recent poll listed CIOs' top five concerns in the following order:

  1. External hackers

  2. Internal hackers

  3. Terrorism

  4. Natural disasters

  5. Economy

This type of information can be very subjective. Opinions change based on circumstances and events. This forecast information deserves ongoing examination and backing by upper management.

Larger organizations frequently have specialists responsible for providing this component in the form of a list of threats. Even in the absence of such specialists, it is in an organization's best interest to focus on event assessment independent of impact assessment. Forecasting the chances of a fire, flood, server failure, or other disaster involves a completely different set of skills than establishing the impact of these events.

Asset Importance to the Business

Risk can be broken into two parts: the chance an incident will arise and the impact of the incident on the organization when it occurs. Successful organizations focus on these two elements separately, even though both elements must be considered.

Prioritizing an asset's importance to the business can best be accomplished by considering how the asset impacts the services being provided to the customers. This value, as opposed to the purchase price, is the critical dimension. You may notice assets that are comparatively cheap to replace whose absence stops a critical service.

In the case of IT services, this involves a service-by-service outline, the elements of which can turn out to be very extensive. Possible issues worth including are

  • Lost revenue

  • Threats to life and limb

  • Excess expense

  • Lost productivity

  • Damage to assets

  • Customer dissatisfaction

  • Violations of law

  • Career damage

By considering this information, management will find it a lot easier to make informed decisions on the amount of "insurance" to invest in.

Mitigating Risks

This entire document provides strategies for mitigating disaster risks to IT services and data loss, so there is no need to repeat them here. The strategies outlined are by no means the complete list, but a broad spectrum of options to get the process started.

Resources will often become the deciding factor in what safeguards are deployed to mitigate risks. While behavioral safeguards may be implemented with policy, the remainder will involve some degree of resource commitment. This is where a good business-impact analysis report will come in handy.

By providing decision makers with the information that went into the selection of safeguards, you allow everyone to discuss the issues on equal footing. In the absence of detailed information on why you want to spend money, the decision will invariably turn to how much the safeguard costs the organization.

The business impact assessment helps the discussion stay focused on the real issues: the risks to assets and how these risks can be reduced. Once developed, you can keep this information on file and periodically review and update it.

An ongoing demonstration of management interest through periodic review is an essential component of disaster recovery. A formalized risk assessment process will make the renewal of these reports an objective for all managers within the organization.

Good risk management is good organizational management. It entails not only programmatic and technical expertise but also good communications among all the members of the team. The risk assessment process enables risk identification, assessment, prioritization, action planning, and communication among team members. No one person on a program knows all the risks. Risk identification and management is everyone's responsibility. The important points are to keep it simple, tailor the process to meet the program needs, and follow up on a regular basis.



IP Storage Networking: Straight to the Core
ISBN: 0321159608
Year: 2003
Pages: 108
